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CLAIMS 

What is claimed is: 
11. A networking method comprising: 

2 receiving descriptive data of networking traffic including timing data of the 

3 network traffic; 

4 analyzing said timing data of the network traffic to determine whether the 

5 timing data is to be considered as an aberration; and 

6 modifying the timing data if the timing data is to be considered as an 

7 aberration. 

1 2. The method of claim 1 , wherein said descriptive data of network traffic are 

2 network traffic flow oriented. 

1 3. The method of claim 1 , wherein said analyzing comprises comparing said 

2 timing data to timing patterns of previously received network traffic. 

1 4. The method of claim 1 , wherein said modifying comprises modifying said 

2 timing data to conform to timing patterns of earlier network traffic for which 

3 descriptive data were received. 

1 5. The method of claim 4, wherein said method further comprises updating said 

2 timing patterns of earlier network traffic with said time data of the network traffic for 

3 which descriptive data was received. 
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1 6. The method of claim 5, wherein said updating of the timing patterns of earlier 

2 network traffic comprises weighing timing data of network traffic in a manner that 

3 biases towards the timing data of earlier network traffic over timing data of later 

4 network traffic. 

1 7. An apparatus comprises: 

2 storage medium having stored therein a plurality of programming instructions 

3 designed to implement a network traffic data collection function, when executed, 

4 enables the apparatus to 

5 receive descriptive data of networking traffic including timing data of the 

6 network traffic, 

7 analyze said timing data of the network traffic to determine whether the 

8 timing data is to be considered as an aberration, and 

9 modify the timing data if the timing data is to be considered as an 

10 aberration; and 

1 1 one or more processors coupled to the storage medium to execute the 

12 programming instructions. 

1 8. The apparatus of claim 7, wherein said descriptive data of network traffic are 

2 network traffic flow oriented . 

1 9. The apparatus of claim 7, wherein said network traffic collection function, 

2 when executed, enables said apparatus to perform said analyzing by comparing said 

3 timing data to timing patterns of previously received network traffic. 
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1 1 0. The apparatus of claim 7, wherein said network traffic collection function, 

2 when executed, enables said apparatus to perform said modifying by modifying said 

3 timing data to conform to timing patterns of earlier network traffic for which 

4 descriptive data were received. 

1 11. The apparatus of claim 10, wherein said network traffic collection function, 

2 when executed, further enables said apparatus to update said timing patterns of 

3 earlier network traffic with said time data of the network traffic for which descriptive 

4 data was received. 

1 1 2. The apparatus of claim 1 1 , wherein said network traffic collection function, 

2 when executed, enables said apparatus to perform said updating of the timing 

3 patterns of earlier network traffic by weighing timing data of network traffic in a 

4 manner that biases towards the timing data of earlier network traffic over timing data 

5 of later network traffic. 

1 13. A method comprising: 

2 receiving a query to be run against a collection of network traffic data; 

3 determining whether the query is to be run for a plurality of time bins; 

4 determining said time bins if the query is to be run for a plurality of time bins; 

5 and 

6 causing said query to be repeatedly run against said collection of network 

7 traffic data for said time bins using said generated looping instructions. 

1 14. The method of claim 13, wherein said query comprises specifications for a 

2 start time for a first of said time bins, a number of time bins, and a stop time for a last 
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3 of said time bins; and said first and second determining as well as said generating 

4 are performed in accordance with said specifications. 

1 15. The method of claim 14, wherein said number of time bins is explicitly 

2 specified. 

1 16. The method of claim 15, wherein said number of time bins is implicitly 

2 specified through a specification of a time bin size, specified in conjunction with said 

3 start time of the first time bin, and said stop time of the last time. 



1 17. The method of claim 13, wherein each of said repeated running of said query 

2 against said collection of network traffic data comprises automatically apportioning 

3 network traffic data between two time bins when the network traffic with which the 

4 network traffic data are associated straddles over the two time bins. 

1 18. An apparatus comprising 

2 storage medium having stored therein executable instructions designed to 

3 implement a network traffic data query facility, when executed, enables the 

4 apparatus to 

5 receive a query to be run against a collection of network traffic data, 

6 determine whether the query is to be run for a plurality of time bins, 

7 determine said time bins if the query is to be run for a plurality of time bins, 

8 and 

9 cause said query to be repeatedly run against said collection of network 

10 traffic data for said time bins using said generated looping instructions; 

11 and 
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12 one or more processors coupled to the storage medium to execute the 

13 instructions. 

1 19. The apparatus of claim 1 8, wherein said query comprises specifications for a 

2 start time for a first of said time bins, a number of time bins, and a stop time for a last 

3 of said time bins; and said network traffic query facility, when executed, enables said 

4 apparatus to perform said first and second determining as well as said generating in 

5 accordance with said specifications. 

1 20. The apparatus of claim 19, wherein said number of time bins is explicitly 

2 specified. 

1 21 . The apparatus of claim 19, wherein said number of time bins is implicitly 

2 specified through a specification of a time bin size, specified in conjunction with said 

3 start time of the first time bin, and said stop time of the last time. 

1 22. The apparatus of claim 1 8, wherein said network traffic query facility, when 

2 executed, further enables the apparatus to automatically apportion network traffic 

3 data between two time bins when the network traffic with which the network traffic 

4 data are associated straddles over the two time bins, when running said query 

5 against said collection of network traffic data for one of said time bins. 

1 23. A method comprising: 

2 retrieving a record of network traffic data to be processed as part of an 

3 execution of a query against a collection of network traffic data comprising said 

4 record of network traffic data; 
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5 determining whether said record of network traffic data was created by its 

6 originating network trafficking device under a sampling mode; 

7 determining a sampling ratio under which said record of network traffic data 

8 was created if said record of network traffic data was created by its originating 

9 network trafficking device under a sampling mode; and 

10 amplifying one or more data elements of said retrieved record of network 

1 1 traffic data in accordance with said determined sampling ratio. 

1 24. The method of claim 23, wherein said retrieved record of network traffic data 

2 comprises specifications for whether the record of network traffic data was created 

3 by its originating network trafficking device under a sampling mode, and if so, the 

4 sampling ratio; and said first and second determining are performed by analyzing 

5 said retrieved record of network traffic data. 

1 25. An apparatus comprising 



2 storage medium having stored therein executable instructions designed to 

3 implement a network traffic query facility, when executed, enables the apparatus to 

4 retrieve a record of network traffic data to be processed as part of an 

5 execution of a query against a collection of network traffic data 

6 comprising said record of network traffic data, 

7 determine whether said record of network traffic data was created by its 

8 originating network trafficking device under a sampling mode, 

9 determine a sampling ratio under which said record of network traffic data 

10 was created if said record of network traffic data was created by its 

1 1 originating network trafficking device under a sampling mode, and 
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12 amplify one or more data elements of said retrieved record of network 

13 traffic data in accordance with said determined sampling ratio; and 

14 one or more processors coupled to the storage medium to execute the 

15 instructions. 

1 26. The apparatus of claim 25, wherein said retrieved record of network traffic 

2 data comprises specifications for whether the record of network traffic data was 

3 created by its originating network trafficking device under a sampling mode, and if 

4 so, the sampling ratio; and said network traffic data query facility, when executed, 

5 further enables the apparatus to perform said first and second determining by 

6 analyzing said retrieved record of network traffic data. 

1 27. A method comprising; 

2 receiving a query to be run against a collection of network traffic data; 

3 determining if the query comprises a network traffic flow oriented command 

4 that specifies one or more processing to be performed for one or more network 

5 traffic flows; 

6 determining said one or more processing to be performed for said one or 

7 more network traffic flows; 

8 generating first byte codes for said one or more processing to be performed 

9 for said one or more network traffic flows; and 

10 generating second byte codes to repeat execution of said first byte codes 

1 1 generated for said one or more processing for said one or more network traffic flows. 

1 28. The method of claim 27, wherein said network traffic flow oriented command 

2 specifies said one or more processing are to be performed for each of said one or 
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3 more network traffic flows; and said second generating comprises generating said 

4 second byte codes which repeat execution of said first byte codes generated for said 

5 one or more processing for each of said one or more network traffic flows. 



1 29. An apparatus comprising 

2 storage medium having stored therein executable instructions designed to 

3 implement a network traffic data query facility, when executed, enables the 

4 apparatus to 

5 receive a query to be run against a collection of network traffic data, 

6 determine if the query comprises a network traffic flow oriented command 

7 that specifies one or more processing to be performed for one or more 

8 network traffic flows, 

9 determine said one or more processing to be performed for one or more 

1 0 network traffic flows, 

1 1 generate first byte codes for said one or more processing to be performed 

12 for one or more network traffic flows, and 

13 generate second byte codes to repeat execution of said first byte codes 

14 generated for said one or more processing for one or more network 

15 traffic flows; and 

16 one or more processors coupled to the storage medium to execute the 

17 instructions. 

1 30. The apparatus of claim 29, wherein said network traffic flow oriented 

2 command specifies said one or more processing are to be performed for each of 

3 said one or more network traffic flows; and network traffic query facility, when 

4 executed, enables said apparatus to generate said second byte codes which repeat 
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5 execution of said first byte codes generated for said one or more processing for 

6 each of said one or more network traffic flows, when performing said second 

7 generating. 



1 31 . A method comprising: 

2 receiving a query to be run against a collection of network traffic data; 

3 determining if the query comprises a network traffic packet oriented command 

4 that specifies one or more processing to be performed for one or more network 

5 traffic packets; 

6 determining said one or more processing to be performed for said one or 

7 more network traffic packets; 

8 generating first byte codes for said one or more processing to be performed 

9 for said one or more network traffic packets; and 

10 generating second byte codes to repeat execution of said first byte codes 

1 1 generated for said one or more processing for said one or more network traffic 

12 packets. 



1 32. The method of claim 31 , wherein said network traffic packet oriented 

2 command specifies said one or more processing are to be performed for a selected 

3 one of a first, a last and each of said one or more network traffic packets; and said 

4 second generating comprises a selected one of generating said second byte codes 

5 that execute said first byte code generated for said one more processor for a 

6 selected one of a first and a last of network traffic packets, and generating said 

7 second byte codes that repeat execution of said first byte codes generated for said 

8 one or more processing for each of said one or more network traffic packets. 
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1 33. An apparatus comprising 

2 storage medium having stored therein executable instructions designed to 

3 implement a network traffic data query facility, when executed, enables the 

4 apparatus to 

5 receive a query to be run against a collection of network traffic data, 

6 determine whether the query comprises a network traffic packet oriented 

7 command that specifies one or more processing to be performed for 

8 one or more network traffic packets, 

9 determine said one or more processing to be performed for said one or 

10 more network traffic packets, 

1 1 generate first byte codes for said one or more processing to be performed 

12 for said one or more network traffic packets, and 

13 generate second byte codes to repeat execution of said first byte code 

14 generated for said one or more processing for said one or more 

1 5 network traffic packets; and 

16 one or more processors coupled to the storage medium to execute the 



17 instructions. 

1 34. The apparatus of claim 33, wherein said network traffic packet oriented 

2 command specifies said one or more processing are to be performed for a selected 

3 one of a first, a last and each of said one or more network traffic packets; and said 

4 second generating comprises a selected one of generating said second byte codes 

5 that execute said first byte codes generated for said one more processor for a 

6 selected one of a first and a last of network traffic packets, and generating said 

7 second byte codes to repeat execution of said executable instructions generated for 

8 said one or more processing for each of said one or more network traffic packets. 
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1 35. A method comprising: 

2 receiving a query to be run against a collection of network traffic data; 

3 determining whether the query comprises a command; 

4 determining whether the command comprises an expression; 

5 determining whether the expression comprises one or more pre-determined 

6 network traffic attribute keywords; and 

7 generating byte codes for said query, including byte codes for said command 



8 using said determined one or more pre-determined network traffic attribute keywords 

9 of said expression of said command. 

1 36. The method of claim 35, wherein said one or more pre-determined network 

2 traffic attribute keywords comprise at least a selected one of a source address 

3 keyword, a destination address keyword, a next hop keyword, an ingress interface 

4 keyword, an egress interface keyword, a number of packets keyword, a number of 

5 byte keyword, a flow start time keyword, a flow end time keyword, a source port 

6 keyword, a destination port keyword, a TCP flag keyword, a protocol keyword, a type 

7 of service keyword, a source autonomous system keyword, a destination 

8 autonomous keyword, a source network address mask keyword, a destination 

9 network address mask keyword, and a number of network traffic flow keyword. 

1 37. The method of claim 35, wherein said one or more pre-determined network 

2 traffic attribute keywords comprise at least a selected one of an original flow type 

3 keyword, a number of entries in a packet keyword, a router uptime keyword, a time 

4 keyword, an aggregation method keyword, an aggregation version keyword, a 

5 sampling interval keyword, and a sender address keyword. 
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1 38. An apparatus comprising 

2 storage medium having stored therein executable instructions designed to 

3 implement a network traffic data query facility, when executed, enables the 

4 apparatus to 

5 receive a query to be run against a collection of network traffic data; 

6 determine whether the query comprises a command; 

7 determine whether the command comprises an expression; 

8 determine whether the expression comprises one or more pre-determined 

9 network traffic attribute keywords, and 

10 generate byte codes for said query, including byte codes for said 

1 1 command using said determined one or more pre-determined network 

12 traffic attribute keywords of said expression of said command; and 

1 3 one or more processors coupled to the storage medium to execute the 

14 instructions. 

1 39. The apparatus of claim 38, wherein said one or more pre-determined network 

2 traffic attribute keywords comprise at least a selected one of a source address 

3 keyword, a destination address keyword, a next hop keyword, an ingress interface 

4 keyword, an egress interface keyword, a number of packets keyword, a number of 

5 byte keyword, a flow start time keyword, a flow end time keyword, a source port 

6 keyword, a destination port keyword, a TCP flag keyword, a protocol keyword, a type 

7 of service keyword, a source autonomous system keyword, a destination 

8 autonomous keyword, a source network address mask keyword, a destination 

9 network address mask keyword, and a number of network traffic flow keyword. 
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1 40. The apparatus of claim 38, wherein said one or more pre-determined network 

2 traffic attribute keywords comprise at least a selected one of an original flow type 

3 keyword, a number of entries in a packet keyword, a router uptime keyword, a time 

4 keyword, an aggregation method keyword, an aggregation version keyword, a 

5 sampling interval keyword, and a sender address keyword. 
1 
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